I have an ASA firewall. The interface is a trunk containing 2 VLANs (VLAN 100 and VLAN 200). That interface is connected to a 3750 switch. On the 3750 switch, VLAN 100 and 200 are configured as private VLANs which have some isolated and community ports. How can I make the switch interface connected to the ASA support private VLANs in promiscuous state as well as a dot1q trunk?
I am afraid this will probably not be possible on the 3750 series.
What you need is a functionality that replaces the tag of the secondary VLAN with the tag of the appropriate primary VLAN when a frame goes out that trunk. Without this functionality, the frame will always contain the tag of the secondary VLAN and the ASA will not process it on its subinterface for the primary VLAN.
That functionality is supported on 4500 series switches - it is called the "Promiscuous Private VLAN Trunk Ports". You can find the description and the configuration examples here:
Unfortunately, the documentation for the 3750 series does not describe this functionality, so I am afraid it is not supported there. You may want to experiment a bit and see if the commands from the 4500 will be accepted on your 3750, but I am afraid that this won't work.
Other than this, I do not see any other quick solution, except, of course, placing an extra switch between the ASA and the 3750: creating promiscuous ports on the 3750, one for each primary private VLAN, connecting those promiscuous ports to access ports on the extra switch (each into a different VLAN on that extra switch), and connecting that extra switch with a trunk to the ASA.
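To make both options in the answer concrete, here is an added configuration example; it is not part of the original thread and not from Cisco documentation. It assumes the two primaries from the question (VLAN 100 and VLAN 200) with hypothetical secondaries 101 (isolated) and 102 (community) under 100, and 201 (isolated) under 200; interface names, IP addresses and nameifs are placeholders. Option A shows the 4500 promiscuous PVLAN trunk, where the switch rewrites the secondary tag to the primary tag on egress so the ASA subinterfaces see only 100 and 200. Option B shows the two-switch workaround for the 3750, where a non-trunk promiscuous port per primary does that rewrite and an extra switch re-tags the traffic onto a normal dot1q trunk.

```cisco
! ===== Option A: Catalyst 4500 promiscuous PVLAN trunk (assumed VLAN IDs) =====
vtp mode transparent          ! PVLAN config requires VTP transparent (or VTPv3)
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 201
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 201
!
interface GigabitEthernet1/1
 description Uplink to ASA: dot1q trunk, promiscuous for both primaries
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 100,200
 switchport private-vlan mapping trunk 100 101,102
 switchport private-vlan mapping trunk 200 201
 ! frames from 101/102 egress tagged 100, frames from 201 egress tagged 200

! ===== Option B: 3750 plus an extra switch (same assumed VLAN IDs) =====
! --- 3750: one non-trunk promiscuous port per primary VLAN ---
interface GigabitEthernet1/0/1
 description To extra switch, carries primary VLAN 100 untagged
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
interface GigabitEthernet1/0/2
 description To extra switch, carries primary VLAN 200 untagged
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
! example isolated host port under primary 100
interface GigabitEthernet1/0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101

! --- Extra switch: plain access ports, one VLAN each, plus a trunk to the ASA ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 200
interface GigabitEthernet0/24
 description Trunk to ASA
 switchport trunk encapsulation dot1q   ! only on platforms that also support ISL
 switchport mode trunk
 switchport trunk allowed vlan 100,200

! --- ASA: subinterfaces on the primary VLAN IDs only (placeholder addressing) ---
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1.100
 vlan 100
 nameif pvlan100
 security-level 50
 ip address 10.100.0.1 255.255.255.0
interface GigabitEthernet0/1.200
 vlan 200
 nameif pvlan200
 security-level 50
 ip address 10.200.0.1 255.255.255.0
```

Two checks worth running: `show vlan private-vlan` on the 3750 confirms the primary/secondary associations, and `show interfaces GigabitEthernet1/0/1 switchport` should report an administrative mode of private-vlan promiscuous with the mapping listed. On the security side, the workaround keeps isolation intact only because each VLAN on the extra switch contains nothing but the promiscuous uplink and the ASA trunk, so there is no host-to-host path there; the remaining way for two isolated hosts to reach each other is through the ASA at layer 3, which by default does not hairpin traffic back out the same interface unless `same-security-traffic permit intra-interface` is configured.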
Thank you for your reply. Now, this is interesting. This Promiscuous Private VLAN Trunk functionality is actually a very useful feature that, in my opinion, should be present on all switch series that support Private VLANs. Could perhaps Cisco be persuaded to add this functionality to the 3560/3750 series as well? I am asking you because you are a Cisco employee :-)
I am also wondering about the following sentence on the same link:
"On an MSFC port or a nontrunk promiscuous port, you can remap as many isolated or community VLANs as desired; however, while a nontrunk promiscuous port can remap to only one primary VLAN, an MSFC port can only connect an MSFC router."
If I sum up:
Does someone know from what CatOS version "promiscuous trunk" is supported, and is there any document clearly stating it?